Vulna Adware Threatens Millions of Android App Downloads

A widely used Android mobile ad library which was available on Google Play has been identified as posing a significant threat to mobile users, allowing potential attackers to “perform dangerous operations such as downloading and running new components on demand.”

Dubbed “Vulna” by researchers for its “vulnerable and aggressive” collection of sensitive data, the ad library could be leveraged to conduct attacks on potentially millions of users – a threat of such magnitude that the researchers have declined to identify the specific library by name, though they have notified both Google and the library’s vendor of the problem.

“We have analyzed all Android apps with over one million downloads on Google Play, and we found that over 1.8% of these apps used Vulna. These affected apps have been downloaded more than 200 million times in total,” the researchers said.

Mobile ad libraries are software developed by a third party that “host apps” use to display advertisements and that collect IMSI and IMEI device identifiers, but Vulna also has the capability to collect call record details and SMS text messages, and to allow the execution of malicious code.

“Vulna is aggressive—if instructed by its server, it will collect sensitive information such as text messages, phone call history, and contacts. It also performs dangerous operations such as executing dynamically downloaded code. Second, Vulna contains a number of diverse vulnerabilities. These vulnerabilities when exploited allow an attacker to utilize Vulna’s risky and aggressive functionality to conduct malicious activity, such as turning on the camera and taking pictures without user’s knowledge, stealing two-factor authentication tokens sent via SMS, or turning the device into part of a botnet,” the researchers determined.
